Business Associate Agreements: Fact vs Fiction

HIPAA covered entities form partnerships with third parties to safeguard their data assets effectively. Business associate agreements (BAAs) formalize these relationships and, importantly, describe the HIPAA-related risks and responsibilities that business associates (BAs) will take on.

The written contract between the covered entity and business associate must meet the following requirements:

State the permitted and required uses and disclosure of PHI by the BA.

Assure that the BA will not use or share information other than as required or permitted by the contract or by law.

Require the BA to implement suitable safeguards to prevent the unauthorized use of information, including deploying the requirements of the HIPAA Security Rule as it relates to protected health information.

Report to the covered entity any use or disclosure of information not provided for by the contract.

Agree to disclose PHI to meet the covered entity’s obligation to provide individuals a copy of their PHI, and also either provide PHI for amendments or incorporate amendments.

Adhere to the requirements of the Privacy Rule to the extent required.

Provide to the Department of Health and Human Services records, practices and books related to the use and disclosure of PHI.

At the termination of the contract, destroy or return all PHI created or received by the BA on behalf of the covered entity.

Ensure that any subcontractors the BA engages must comply with substantially the same conditions and restrictions that apply to the BA.

Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.

Are BAAs standard or customizable?

Most providers have a standard BAA that offers little or no opportunity for amendment. At most, the agreement will state that it replaces any previous agreement covering the same services.

Providers may be willing to edit a contract if you can make a suitably large payment to them. This is understandable, since the provider must then track and comply with each customer's variations. The complexity this creates can be counterproductive: it can hurt security or lead to inconsistencies. Working from a standard legal contract contributes to overall efficiency and ensures that employees have uniform expectations.

What are some commonly included requirements that are not actually needed?

Not every requirement that may make its way into a business associate agreement is necessary. Here are some examples:

Although HIPAA sets the maximum timeframes for reporting breaches and for responding to individual rights such as PHI access and amendment, some covered entities include shorter timeframes. This poses a problem if you, as the BA, engage subcontractors: they need time to notify you of incidents before you can in turn report to the covered entity.

A HIPAA privacy or security breach can result in a massive financial liability and loss of reputation. The Omnibus Rule makes business associates directly liable for HIPAA violations and breaches. Given this direct liability, an indemnification clause is not required.

An indemnification clause commits the indemnifying party to reimburse or cover the obligations of the other party in the event of an incident resulting from the indemnifying party’s actions. Because a BA that causes damages can be penalized directly by the government, the indemnification provision can be struck or replaced by a limitation of liability.

HHS requires access to the BA’s books and records, but the covered entity does not. Provisions granting the covered entity such access should be edited accordingly.

Some covered entities may review BAAs to address HIPAA as well as state law. They may expand the scope of the agreement to include all personal information handled by BAAs, not only PHI. They could alter the definition of a ‘breach’ to reflect applicable state laws. Covered entities also have the opportunity to advise their BAs, particularly those in other states, about any increased compliance expectations resulting from state laws.

Common myths about BAs and BAAs

A cloud storage company cannot be a BA because it only stores information: Under the Omnibus Rule, any entity that maintains protected health information is a business associate.

A covered entity should ensure that the agreement is signed by every business associate: The regulatory definition determines business associate status, not the signature. A business associate agreement is not a contract for services or the usual non-disclosure agreement. A business associate may refuse to sign a BAA, and a covered entity should make reasonable efforts to ensure it does. In practice, a business associate that wants to do business with a covered entity will inevitably have to sign a business associate agreement.

Covered entities can take it a bit easy given that BAs are directly liable for breaches: Breaches have an adverse effect on covered entities’ patients as well as the entity itself. Covered entities need to carefully review the actions and inactions of their business associates as they are ultimately liable for any breaches by the BA.